Editor’s Comments


Welcome to volume 14, issue 1 of the Journal of Physical Security (JPS). In addition to the 
usual editor’s rants and news about security that appear immediately below, this issue has 
papers about R&D tax credits for physical security, pinhole cameras for surreptitious 
surveillance, insider threat issues, tamper-indicating seals for fast food in the era of Covid, 
and security for sealed radiological sources. 


All papers are anonymously peer reviewed unless otherwise noted. We are very grateful 
indeed to the reviewers who contribute their time and expertise to advance our understanding
of security without receiving recognition or compensation. This is the true sign of
a professional! 


Past issues of JPS are available at http://jps.rbsekurity.com, and you can also sign up 
there to be notified by email when a new issue becomes available. A cumulative table of 
contents for the years 2004 through 2019 is available at http://rbsekurity.com/PSArchives/grand jps TOC.pdf


JPS is hosted by Right Brain Sekurity (RBS) as a free public service. RBS is a small 
company devoted to physical security consulting, vulnerability assessments, and R&D 
(http://rbsekurity.com). 


As usual, the views expressed in these papers and the editor’s comments are those of the 
author(s) and should not necessarily be ascribed to their home institution(s), employer, 
other authors in this issue, or Right Brain Sekurity. 


*****


Shock and Awe 


In my view, the January 6 insurrection at the Capitol Building in Washington, D.C. 
confirms some general principles about security: 


1. Security Maxim #119: Layered security will usually fail stupidly. 

2. Security Maxim #109: A lack of imagination and effective vulnerability assessment is 
the most common cause of security failure—the failures in threat analysis, intelligence, 
management, and communication in this case notwithstanding. 

3. Security Maxim #80: Warning about threats and especially vulnerabilities will usually
be ignored or even attacked. (See also https://www.nbcnews.com/politics/politics-news/isn-t-final-chapter-analyst-warns-again-about-rise-right-n1253950.)

4. Security Maxim #137: Too often, the good guys think they can define the security, 
when in fact the bad guys get to. It is telling, I believe, to hear how Capitol Police were 
“shocked” that rioters climbed the “off-limits” Capitol steps after swarming the barriers. 

5. Security Maxim #89: The main purpose of an investigation after a serious security
incident is not to fix the problems, but rather to assign blame, pass the buck, engage in 
finger-pointing, and choose scapegoats. 


I am getting tired of seeing the same old security blunders over and over again!


For more discussion, see RG Johnston, “Avoiding Shock and Awe”, Journal of Physical
Security 9(1), 26-48 (2016) and RG Johnston, Vulnerability Assessment: The Missing Manual
for the Missing Link, https://www.amazon.com/dp/BO8C9D73Z9


*****


Good Advice 


If your child goes missing while you are out in public with him/her, don't look for them 
frantically and quietly, look for them loudly: 


*****


"Alexa: Go Hack Yourself!" 


Electronic products that understand the human voice such as Amazon's Echo, Apple's 
HomePod, Google's Assistant, and even smartphones to some extent can be hacked at a 
distance if there is a clear line of sight. Recent experiments show that an appropriate voice
command can be recorded, then used to modulate a small, relatively low power laser. The 
laser would be shined on the voice-understanding electronics from some distance, 
including through a glass window, and the device will obey the command. The modulated 
light gets turned into vibrations that the voice-activated devices recognize as a voice 
command. 


A simple countermeasure is to keep your voice-understanding devices away from 
windows and out of sight from outside your home or office.


*****


Lava Lamp Love In 


The company Cloudflare uses the random motion of lava lamps to generate random
number seeds for cryptographic keys. This is not as goofy as it sounds (though putting the 
lava lamps in their lobby might be). Such hardware-generated seeds avoid the bad 
behaviors and poor security of pseudorandom number generators used by many 
computers. 
*****


In-Bed with Security


Texas Instruments has an excellent guide out entitled, "Building Your Application with
Security in Mind: Guide to Embedded Security". It is mostly about cyber security, but may
nevertheless provide some thought triggers for other areas of security.


*****


The Mandela Effect 


For an interesting article on false memory, see https://getpocket.com/explore/item/10-examples-of-the-mandela-effect?utm_source=pocket-newtab.


*****


Paradox Mindset 


Embracing opposing demands and viewpoints, rather than fleeing from them, is a key to
creativity and leadership (and, I believe, to good security):


*****


Security of Ballot Collection Boxes


Probably not the biggest election security issue but... 
https://www.forbes.com/sites/marcwebertobias/2020/11/09/the-security-of-ballot-


*****


Face the Biometric Problems 


Yet another example of biometrics failing: 




*****


The High Cost of Cheap Security


Bruce Schneier had an interesting and articulate opinion piece in the New York Times 
about scrimping on security: https://www.nytimes.com/2021/02/23/opinion/solarwinds-hack.html. 


*****


Spoiler Alert: How It All Ends 


For a mind-blowing, but remarkably understandable description of cosmology, how the 
universe began, and how it will likely end, check out the January 2021 issue of Astronomy: 
https://astronomy.com/issues. 


*****


An Example of Security Maxim #80 (Feynman's Maxim): "Organizations will fear 
vulnerability assessors and others who point out security problems more than the 
actual adversaries." 


Just when you were maybe feeling a little sorry for the voting machine companies 
because they were arguably getting slandered... Election Systems and Software (ES&S) sent 
cease and desist letters to organizations simply for highlighting proven security 
vulnerabilities. Not exactly a healthy Security Culture! See "A Voting Machine Company
Threatens Researchers for Exposing Valid Security Flaws."


*****


Elephants 


In 2013, scientists attempted to teach elephants the meaning of pointing. It turned out to 
be unnecessary, as they already understood the concept. That automatically makes them 
more intelligent than a lot of the managers and bureaucrats that I have dealt with in my
career. See https://science.time.com/2013/10/10/brainy-elephants-one-more-way-theyre-as-smart-as-humans/.


*****


More About Animals


Does mel life make animals smarter? See https: seg ean com/future/article/ 


*****


And Even More About Animals


On Vladimir Putin’s many crimes: https://www.atlanticcouncil.org/in-depth-research-reports/report/russia-after-putin-report/


*****


Porch Pirate 


Sometimes, the bad guys aren’t all that clever. 


*****


Testing Security 


Who says there is no rigorous testing of security products anymore? Check out this story: 


*****


Cock Sure Security (or Protecting the Family Jewels) 


You can read about cyber attacks on male chastity devices here: https://www.bbc.com/news/technology-54436575 and https://www.vice.com/en/article/m7apnn/your-cock-is-mine-now-hacker-locks-internet-connected-chastity-cage-demands-ransom.


Call me old-fashioned and a romantic, but I think sex toys shouldn't be connected to the 
Internet. Local Bluetooth ought to be good enough. 


*****


-- Roger Johnston 
Oswego, Illinois 
March, 2021 


Journal of Physical Security 14(1), 1-9 (2021) 


Physical Security R&D Tax Credits 


Charles R. Goulding 
Attorney/CPA, President of R&D Tax Savers 




Introduction 
The Federal R&D tax credit is an innovation incentive. It promotes both economic growth 
and job creation. 


Any firm has the potential to qualify. The litmus is not the firm but the activity involved. 
That activity has to (1) be technical, (2) involve consideration of design alternatives, (3) 
eliminate uncertainty, and (4) result in the acquisition of new knowledge to the company. 


When a company’s project—be it a new or improved product, process, or software 
development—qualifies for the R&D tax credit, applicable employee time is the largest
driver of the credit calculation. 


On December 18, 2015, President Obama signed the bill making the R&D tax credit 
permanent. Beginning in 2016, the credit has been used to offset the Alternative Minimum 
Tax (AMT), and startup businesses can utilize the credit against $250,000 per year in 
payroll taxes. Companies can now plan and pursue projects that are innovative but slightly 
risky, and utilize the R&D tax credit to help fuel their R&D efforts. 


The Credit for Increasing Research Activities, or the R&D tax credit, as defined in US IRC 
Code, Section 41, allows all of the following to be included in calculating the credit: 
amounts paid by the taxpayer for in-house research expenses, contract research expenses, 
expenses related to supplies consumed in the R&D process (tangible property other than 
land and property subject to depreciation), as well as certain expenses related to obtaining 
a patent. 


The credit calculation for companies is completed on IRS Form 6765, where the credit
amount can then reduce the company’s tax liability, dollar-for-dollar. In instances where 
the business is organized as a flow-through entity, the R&D tax credit can reduce the tax 
liability, dollar-for-dollar, on the owner’s personal tax return. 


While there is no specific application to the Internal Revenue Service to obtain the R&D 
tax credit, contemporaneous documentation is required to be maintained by the taxpayer 
in the unlikely event of an audit. Our firm does a comprehensive R&D Study that includes 
contemporaneous documentation for each and every one of our clients, regardless of 
whether they are our billion dollar client or our small software start-up. 


This paper draws on the many physical security projects our R&D tax credit engineers 
have completed, including airport security, facial recognition, law enforcement technology, 
retail theft protection, building security, and fire protection. Information about other 
physical security projects that have benefitted from the R&D tax credit is also available, 
including those involving gun, smart gun, and cyber security developments. Our firm has 
handled R&D tax credit projects for firms in the physical security industry, as well as for 
firms that are in other industries but made a significant effort to develop and improve their 
physical security systems for their business operations. 


Physical Security at a Glance 

Physical security is a highly complex, multifaceted challenge. It encompasses all of the 
physical measures designed to safeguard personnel; to prevent unauthorized access to 
equipment, installations, material, and documents; and to protect against numerous 
threats, such as theft and damage. The diversity of potential menaces to physical security 
calls for multilayered, flexible solutions that use innovative technology to keep up with 
ever-changing risks. 


Before the pandemic, physical security had a 2020 projected growth rate of 6.5%, from 
$103bn to $110bn in sales. Despite flattened sales due to COVID-19, innovation within the
field has continued apace. One underlying theme is that physical security technology builds 
off of many other current technologies, including artificial intelligence, the Cloud, drones, 
sensors, and improved cameras. 


Protecting People: Personal Physical Security 

Physical security accessories, such as Tasers, bulletproof vests, and body-worn cameras, 
can save lives and reduce exposure to injuries. They constitute invaluable assets for 
numerous professionals, particularly security personnel and police officers. The following 
sections discuss recent innovation trends in technology designed for personal protection. 


Non-Lethal Weapons

Electroshock weapons temporarily incapacitate neuromuscular transmission, disrupting
voluntary muscle control through the stimulation of sensory and motor nerves. This kind
of weaponry is often preferred to other less-lethal force options due to its overall
effectiveness, which presents virtually no variation relative to the subject’s pain tolerance,
drug use, or body size. Electroshock weapons are often divided into three categories, 
namely, (1) those that work through direct contact, such as stun guns and cattle prods; (2) 
the so-called conducted electrical weapons (CEW), which fire dart-like electrodes that 
deliver shocks through thin wires that remain connected to the gun; and (3) wireless long- 
range electroshock weapons. 


Though undoubtedly an important means of self-defense and law enforcement, non- 
lethal weapons are often subject to criticism. When it comes to technical shortcomings, the 
first two categories have obvious limitations of range, which is restricted to the arm’s reach, 
in one case, and to the length of the wire, in the other. The third type, though capable of 
reaching more distant targets, presents higher risks of death and serious injuries, due to 
the speed of the projectile and the inability to control the shock after firing. Costly 
ammunition and an inconveniently large size are also drawbacks of long-range non-lethal 
weapons. 


Numerous innovative companies are entering the $8.5 billion non-lethal weaponry 
market with the objective of overcoming the limitations of existing technology. For 
instance, Digital Ally in Lenexa, Kansas, is working on a wirelessly controlled electronic
weapon that is more compact and easier to carry than those currently available. Other 
proposed improvements include enhanced accuracy, reduced projectile speed, and post- 
firing control of the shock via radio frequency. 


A more traditional player in this market, TASER International in Scottsdale, Arizona is 
also innovating through the development of a line of smart weapons designed to save lives 
and reduce injuries. With advanced firing logs, these weapons enable highly accurate 
reports that help understand the reasoning behind the decisions made in the field. Sensor 
technology registers, for instance, how long a weapon was armed and when the trigger was 
held. Other technical improvements incorporated into TASER’s latest CEW products 
include dual lasers for enhanced accuracy, an audible warning to facilitate voluntary 
surrender, and a smart cartridge that reduces accidental discharge. More importantly, 
there is the possibility of a backup shot, which is a major breakthrough in a field dominated 
by single-shot weapons. 


Bulletproof Vests 


Bullet-resistant vests are designed to absorb the impact and stop or reduce penetration 
of firearm-fired projectiles and fragments from explosions. They work by dispersing the 
energy from incoming projectiles across multiple layers of material. The very strong fibers 
in their composition “trap” the bullet and slow it down to a full stop. 


There are generally two kinds of bulletproof vests: (1) “Soft vests” are usually made of 
para-aramids, which are essentially plastics woven into fibers, or of Ultra-High-Molecular- 
Weight Polyethylene (UHMWPE), a gel-spun, multi-filament fiber also made from plastic. 
Though presenting very high levels of strength-to-weight ratio, these materials remain flexible and
are capable of absorbing significant amounts of energy, thus being effective against most
kinds of small-caliber ammunition. (2) “Hard vests”, on the other hand, are designed to
offer protection in extreme situations involving higher-caliber threats, including rifle 
rounds. In addition to the fibers used in soft vests, these reinforced armors incorporate 
plates of ceramic, steel, or titanium. Because of the extra layers of protection, hard vests are 
heavier and thicker than soft ones. 


Despite the general distinction between hard and soft vests, more technical 
classifications, such as the one from the US National Institute of Justice (NIJ), refer to 
different ballistic levels. The choice of armor to wear should take into consideration the 
likely threats to be faced. Recent events involving the deaths of police officers point to an 
increasing use of hard vests. For instance, Texas Lt. Gov. Dan Patrick recently asserted that 
he would ask legislators for up to $20 million to provide 40,000 police officers with 
reinforced vests. 


In addition to ballistic protection, a growing number of body armors offer spike and stab 
threat protection. Spike threats refer to sharp pointed objects, such as needles and ice 
picks, while stab threats take the form of edged blade attacks. Protection against both of 
these menaces is important to various professionals, such as prison guards, bouncers, and 
bodyguards. 


Innovation in body armors is key for enabling enhanced protection and greater comfort. 
Outstanding challenges include the development of thinner, lighter, and more flexible vests 
that maintain high levels of ballistic protection. Improved ergonomics as well as cooling 
systems are also priorities, especially when targeting prolonged users in hot or humid 
conditions. Promising areas for body armor innovation include the field of “biomimetics”, 
which draws inspiration from nature (such as the scales of fish). This line of research can 
take advantage of 3D printing technology, which has emerged as a valuable asset in the 
quest of understanding how materials are formed and utilized in nature. 


With offices in Rogersville, Missouri, worldwide manufacturer and distributor of body 
armors Safeguard Armor illustrates the importance of continuous innovation. The 
company points to the immense potential of unusual materials, such as wood pulp, which 
can be used to create ballistic-resistant nanocellulose, and graphene, a sheet of single 
carbon atoms that can absorb considerably more energy than currently available materials. 


Among the most exciting recent developments in bulletproof vests are “liquid” body 
armors. Polish company Moratex has developed an innovative material called Shear- 
Thickening Fluid (STF), which constitutes a lighter and more flexible alternative to 
traditionally used materials. STF increases in viscosity when exposed to impact, behaving 
like a solid when struck with fast-moving projectiles. It is further designed to reduce 
indentation when hit by bullets, thereby lessening the impact felt by the wearer and 
reducing risks of injury. 


Body-Worn Cameras

Video evidence systems are designed to work not only as a deterrent mechanism but to
help increase both the transparency and accountability of police officers and security
personnel. Despite the ongoing proliferation of such systems, recent events have brought 
their effectiveness into question. In this scenario, innovation is key to enabling the 
necessary improvements to existing technology. The following paragraphs present recent 
advancements by innovative companies in the field of body-worn security cameras, whose 
work exemplifies the kinds of efforts that could potentially qualify for federal R&D tax
credits. 


In October 2016, Axon, a business unit of TASER International, unveiled a new generation 
of police body cameras, designed to overcome the limitations of previous solutions. The 
innovative Axon Flex 2 automatically turns on in certain predetermined situations, such as 
opening a car door, unlocking a weapon, or turning on the overhead lights and siren. In 
addition, there is a “buffer” that starts recording up to two minutes before the officer 
pushes the start button. These features aim to overcome common criticisms of existing
technologies that often rely on the discretion of the user to be turned on and off, leaving 
many unanswered questions. 


With offices in Huntersville, North Carolina, British security and investigations company 
Reveal Media has also invested in new technologies for video evidence. With award- 
winning design, the RS2 body camera features a front facing screen and an intuitive one- 
touch record function. Besides providing enhanced low light performance and clearer 
sound, the solution uses advanced compression technology to facilitate the upload and 
storage of files as well as an AES-256 encrypted memory for improved security. 


Safety Innovations in Logan, Utah designs highly resistant body-worn cameras that can 
withstand even the toughest working conditions. The company’s innovative VidMic VX 
integrates a radio microphone with the camera, allowing for a lighter duty gear load while 
keeping the equipment practical and discreet. The solution is compatible with over 200 
models of commonly used radios. 


Another important provider of video evidence solutions is Newark, New Jersey-based 
Panasonic Corporation of North America, subsidiary of Japanese Panasonic Corporation. 
The company has experienced a 180 percent year over year growth in its mobile evidence 
capture division, which includes products such as the Arbitrator 360° HD, an in-car digital 
video recording system that supports up to five cameras working simultaneously to 
generate full 360-degree views and maximize situational awareness. Panasonic also 
produces the Arbitrator BWC, a body-worn solution that provides 130 degrees of evidence 
capture with GPS metadata, pre- and post-event recording, and WiFi for easy offloading. 
Designed to make the most of the available visual data, a unified evidence management 
system brings together the company’s mobile and fixed video solutions, allowing users to 
analyze and preserve every link in the chain of evidence. 


Also a provider of law enforcement video systems, WatchGuard Video is a four-time 
winner of the Dallas 100 Award honoring the fastest growing, privately held businesses in 
the Dallas area. Located in Allen, Texas, it has a longstanding commitment to R&D, which
has resulted in 12 issued U.S. patents plus 12 additional pending patents. Innovative 
capabilities include the record-after-the-fact feature, which enables users to gather critical 
evidence with up to one-day delay, and the ultra-wide dynamic range, a solution to common 
problems, such as blown-out, overexposed, and underexposed images. WatchGuard’s 
technology dramatically improves nighttime video quality through a dual-exposure 
mechanism that takes two separate images (a dark exposure and a light exposure) and 
automatically blends the two images into a single video frame. 


Protecting Spaces: Perimeter Security Systems 

Physical perimeter security is understood as the use of mechanical or electronic systems 
to protect people and assets within a facility, making intrusions less likely. It refers to the 
outermost layer of security and includes fences, walls, and other physical barriers as well as 
intrusion detection systems and electronic surveillance. The effectiveness of a perimeter 
security system is directly affected by its adequacy to the risks requiring protection, the 
sophistication of potential intruders, and the probable means of penetration. According to 
a 2016 report by Research and Markets, the global perimeter security market is expected to 
grow at an 8 percent compound annual growth rate between 2015 and 2021, reaching 
$21,000 million in 2020. The study asserts that emerging technologies are among the most 
important drivers of growth, as “companies are majorly focusing on R&D and investments 
in development of new technologies in order to expand the scope of perimeter security
systems.”


When it comes to physical perimeter security, there are several aspects to be considered, 
besides the ability to prevent intrusion. Desired aesthetics and visibility, ease of 
installation, and adequacy to the local weather and topography are just a few examples of 
important concerns. In the case of fences, for instance, installation alone can account for 
roughly 1/3 of the entire cost involved while a variety of naturally occurring threats, such 
as water intrusion, corrosion, and freezing, can significantly decrease their lifespan. 
Reducing costs and increasing reliability of perimeter security systems must remain a 
priority for companies in this industry. 


Important areas for innovation in physical perimeter security include anti-cut and anti- 
climb mechanisms, customization against specific threats, as well as the mechanical 
distribution of potential impacts as a means to increase overall strength. Producer of non- 
metallic, non-conductive, and radar-friendly fences, AMICO Security in Birmingham, 
Alabama stands out for its innovative efforts, which exemplify the kinds of initiatives that 
would likely qualify for R&D tax benefits. The company’s patent pending Amiguard system 
utilizes a proprietary continuous rail design that bolts together the entire length of the 
fence, making sure that any impact is distributed throughout the system, thereby enhancing 
strength and working as a unified curtain wall barrier. 


Innovative perimeter security solutions combine physical barriers with technology 
designed to detect and monitor intruders’ movements. Examples of such technology 
include next-generation fence-mounted sensors, infrared, and integrated fiber-optic 
solutions. Thermal cameras, video analytics, and intrusion detection technologies, such as
microwave, seismic sensors, and radar, are also interesting allies in physical security
strategies.


Fence-mounted sensing technology includes various cable-type solutions that can be 
attached directly to fence structures in order to detect attempts of cutting, climbing, or 
lifting. The most common type of data used in these cases is vibration, which requires 
varying levels of sensitivity, according to the threats at hand. Sophisticated digital 
processing systems are used to analyze the collected data, assess the existence of an actual 
menace, and identify its nature. Smart perimeter security with sensing technology has 
gained ground as a crucial element of integrated security strategies, which aim for a holistic 
approach to security. 


Examples of companies investing in this field include RBtec in Derwood, Maryland, a 
provider of the longest fiber-optic monitoring capabilities on the market, with up to 62 
miles through a single fiber-optic cable. RBtec’s RaySense illustrates the advantages of 
innovative fiber-optic solutions for long-range, total perimeter coverage. With no gaps 
between sensors, it is capable of detecting and locating within 3 meters over the entire 
perimeter and can be networked to provide unlimited reach. The system offers seven 
different levels of sensitivity that optimize performance according to the targeted 
infrastructure. Fiber-optic systems are also resistant to moisture and electromagnetic 
interference, which facilitates maintenance. 


Monitoring and Surveillance 

Another important aspect of physical security is video surveillance. In addition to 
allowing for the verification and analysis of past incidents, surveillance cameras often act as 
a deterrent to potential assailants. In a recent article published by IFSEC Global, Quantum’s 
Vice President of surveillance and security solutions Wayne Arvidson pointed out that, by 
2019, video surveillance will capture over 3.3 trillion hours daily. The article lists five 
major drivers of growth in this highly dynamic market: 


I. Video Analytics: analyzing video-based data can help identify useful patterns and 
trends. For instance, video analytics can be used for intrusion detection, going beyond 
traditional motion detection and intelligently distinguishing actual threats from 
disturbances caused by animals and weather events. When combined with advanced alarm 
systems, this kind of analytics enhances security while reducing the nuisance of false 
alarms. 


II. Intelligent Cameras: recent developments in sensor technology allow cameras to be 
used in new and exciting ways. The fast-growing adoption of intelligent cameras embedded 
with sensors will require sophisticated, multi-tiered storage strategies capable of 
supporting an unprecedented influx of data. There will also be a growing need for 
enhanced capabilities, including compression, streaming, and analytics. 


III. Biometrics: the use of biometric data to identify people has become increasingly
complex and in turn, increasingly valuable to many industries. The integration of 
biometrics capabilities, such as face recognition, and video surveillance is expected to 
widen the scope of potential applications of video security systems. 


IV. The Internet of Things: innovative strategies must be used to merge IoT sensor data 
with video surveillance data. The emergence of the IoT has been accompanied by an 
unprecedented surge in the number of connected devices, which are expected to reach at 
least forty billion over the next decade. The correlation of video information with input 
from such smart IoT devices can contribute to greater physical security. For instance, 
motion detectors, which are traditionally used for turning lights on and off and adjusting 
temperature, can now communicate with video and security systems in order to control for 
unauthorized movements. 


V. Video Surveillance as a Service: aggregated service models will help companies 
automate functions and optimize their resources. 


The five aspects highlighted above point to a common, underlying trend: integration. In 
fact, it is safe to say that integration is at the essence of physical security innovation, 
particularly when it comes to video surveillance and monitoring. The idea is to make the 
most of available technologies by allowing them to work together. Security control panels 
that use information from various devices, such as motion detectors, video surveillance, 
access readers, etc., are a great example of this overarching trend. 


No-camera security systems are also a promising area, due to recent improvements in 
motion-detection technology. Canadian company Cognitive Systems Corp. recently 
announced a system capable of protecting and monitoring spaces without the use of 
cameras. Arguably the first smart home security system of its kind, Aura uses patented 
technology to monitor the disruption of wireless signals caused by movement. In addition 
to differentiating human and non-human motion, it sends notifications to household 
members in case of unauthorized movements. 


A recent article in Security Sales & Integration magazine has pointed out that innovation 
in motion detection has allowed for an unprecedented level of detail, thanks to which there 
is practically instant response to intruders. This is made possible by the incorporation of 
microprocessors that “intelligently analyze the signals produced by motion to make a very 
fast but accurate alarm decision.” Advancements that simplify installation have also 
contributed to enhanced reliability, particularly when it comes to features that minimize 
installation errors, including integrated end-of-line (EOL) resistors and bubble levels, and 
lift-gate terminal strips. 


VI. Airports: One major application for such surveillance technology is airports. Although 
we have worked on airport projects throughout the country, our western Long Island office 
gives us a bird's-eye view of airport technology at three major airports, namely LaGuardia, 
Kennedy, and Newark. Improving airport technology includes airport screening, Clear's 
biometric touchless optical scanning, enhanced communications systems and strategic 
location of fuel tank farms to minimize explosion damage. 


With respect to health-related safety measures, in July of 2020, JFK’s Terminal 4 became 
the first terminal in the United States to implement technology to monitor social distancing. 
The technology, called CrowdVision, monitors metrics like pedestrian density, operational 
resources, queue times, and more. The technology gives airport employees access to 
real-time information that can assist them in providing a safe, socially-distanced travel 
experience. Conceivably, the technology can be used for other purposes, including traffic 
monitoring and airport security. 


VII. Drones: Drones are becoming mainstream physical security assets. 

A. Police Use: Often when an ongoing crime is reported in traffic congested urban areas 
the police response is invariably too late to capture the fleeing perpetrator. With immediate 
overhead drone dispatch and surveillance, the crime scene can be quickly located and 
pictures taken of the fleeing suspect. 


B. Warehouse Use: One of our clients with numerous cavernous distribution centers was 
the first U.S. purchaser of warehouse drones. Warehouse drones can inspect the top 
shelves of narrow-aisle, high-bay warehouses, check for facility and product damage and 
lighting fixture obsolescence, and conduct continuous inventory counting. Regular and 
accurate inventory counts are an excellent way to monitor theft and reduce stock-outs. 


C. Environmental Damage: Drones with infrared capability can identify emissions and 
septic waste runoff. Before drones it was highly difficult to identify conditions requiring 
environmental remediation. Pinpointing these problems can protect both drinking water 
and marine wildlife in harbors and waterways. 


Conclusion 

Recent developments in physical security technology illustrate how innovation can 
improve the reliability and enhance the performance of security systems. R&D tax credits 
are available for innovative companies engaged in protecting people, spaces, and material 
resources. 
Introduction 


It's possible to form images without lenses. A full color image can be formed using only a 
pinhole. Pinhole imaging has been undertaken for hundreds of years by artists and solar 
eclipse observers using the camera obscura—literally, "dark room". This is a darkened 
room (or box) with a small hole in the wall. Objects outside the room in the bright light are 
imaged on the room's opposite interior wall. The images are upside down and reversed. 


One of the intriguing things about pinhole (camera obscura) images is that they have an 
infinite "depth of field". This means that all objects in the field of view—near or far—are in 
focus, unlike photographs taken using lenses with limited depth of field. When artists and 
hobbyists display their film pinhole images, people looking at the images are often startled 
or disoriented by what they see. They are used to imaging using the human eye, which has 
a relatively narrow depth of field. 


Pinhole photography is usually done using high-sensitivity film because of the small 
amount of light that comes through the pinhole. The recent availability of off-the-shelf, 
low-cost, low-light video cameras, however, makes it easy to produce camera obscura color 
videos. 


I demonstrate this in a recent YouTube video.[1] The video shows color images made 
with a Spinel 2-megapixel, HD video camera with 0.001 lux sensitivity using only a pinhole, 
no lenses. The camera costs $48 retail and runs on 5 volts. What is shown is only the raw 
video with no image processing to improve brightness, contrast, graininess, or image 
quality. Presumably more expensive low-light cameras, and those to be developed in the 
future, will allow higher-quality images. 


[Note that vendors of video cameras often talk about their "pinhole" cameras but these 
are not the camera obscura. They are merely video cameras with a small diameter lens or 
lenses. The small diameter of the lens(es) does tend to allow a good depth of field, but not 
as good as the true camera obscura.] 


*This paper was not peer reviewed. 


Journal of Physical Security 14(1), 10-12 (2021) 


Security Implications 


There are 4 reasons why a true pinhole video camera might have security interest. 
Consider, for example, the surreptitious surveillance of a conference room or office 
using a covert video camera hidden in the wall. The first advantage of the true pinhole 
camera is that only a very small hole is needed in the wall for the camera to view the 
proceedings. My YouTube video demonstrates the use of a pinhole only 100 µm in 
diameter.[1] That small a hole in the wall would be hard to find. 


The second advantage of using a pinhole video camera for hidden surveillance is that 
everything in the field of view is automatically in focus, including objects very close to the 
camera. 


The third advantage of a pinhole video camera for covert surveillance is that one low-tech 
method often recommended [2-4] to find a hidden video camera in a room is to turn off the 
room lights. A flashlight is then used to probe the room, looking for retro-reflections off the 
camera lens or off the imaging sensor of the camera behind the lens. With a camera 
obscura, there is, however, no such lens reflection because there is no lens. Any reflection 
off the imaging sensor behind the pinhole is very difficult to discern because the pinhole 
prevents any significant amount of light reflecting off the interior imaging sensor from 
exiting the pinhole. 


The final advantage of a pinhole camera for covert surveillance is that systems to "blind" 
video cameras using lasers have been proposed as countermeasures.[4] The laser light is 
so bright that it swamps the desired image by saturating the photo sensor. This is a more 
problematic approach with a pinhole camera. While I was able to somewhat saturate the 
image of my pinhole video camera with a 5-mW green laser, this required almost perfect 
angular alignment with the axis of the camera, something that might be difficult to do 
reliably in practice, especially in a large room. 


It might also be possible for the bad guys to recover partial video images despite laser 
saturation by using image processing on their covert video images. When coherent laser 
light passes through a pinhole, it creates circular interference rings called "Airy's Disc".[5] 
The camera pixels at the diffraction ring minima are not saturated. Also, because laser light 
is monochromatic (one color), it is possible that a usable image could be obtained by 
keeping only the red, green, or blue pixels in the color video, depending on the laser's color. 


Conclusion 


Security professionals should be aware that covert video cameras do not require lenses, 
and can operate with a very small viewing aperture as small as 100 microns (or smaller). 
Moreover, it is important to recognize that conventional detection or countermeasure 
schemes that work for covert video cameras with lenses may not work for pinhole cameras 
(cameras obscura). 
Abstract 


This paper offers a compilation and discussion of what I believe to be best practices for 
insider threat mitigation. 


Background 


While most efforts today are focused on defending against external threats, and most 
businesses believe that “it can never happen here”, insider threats add an additional 
dimension of complexity and depth to security challenges that many businesses pay little 
more than cursory attention to mitigating. When discussing insider threats, most people 
immediately think of the IT sector. According to a 2020 IT study1, insider threat incidents 
cost businesses an average of nearly $11.5 million annually, a 31% increase over the two 
previous years. Over the same period, the number of reported insider threat events 
skyrocketed by 47% to more than 4,700. According to Grant Thornton2, it takes a company 
an average of 77 days to contain the damage once an insider threat incident has been 
discovered. 


However, the IT sector is only one of many areas where insider threats can have a 
negative impact on business activities. So, as striking as those figures for IT are, they 
represent only a fraction of the true losses suffered by businesses from insider threats. It 
has been estimated that between 25% and 40% of all employees steal from their employer, 
resulting in a median annual loss of $145,000 per event. Overall, the combined losses 
suffered from insider threats result in a staggering 30% of all business failures in the US 
alone. 


Cybersecurity 


Environment 


Every company, regardless of size, relies to some degree on technology for performing its 
daily operations. As advances in technology, such as Cloud Computing, Software-as-a- 
Service, and other internet-based computing models improve business efficiency, 
companies will increasingly become reliant on technology to conduct business. Operations 
with insufficient protection measures in place continually risk the compromise of critical 
processes, equipment, and/or data from threats aiming to exploit weaknesses in software, 
operating systems and hardware. As technology rapidly evolves, the challenges facing 
businesses in the protection of their network-based assets will become increasingly more 
difficult. Thus, cybersecurity will remain a top business priority. 


Threat Detection 


Today, it’s not a question of whether an attack against a company’s computer system will 
occur, but a matter of when. Relying on detection at the edge or only protecting a single 
node is insufficient in today’s highly dynamic threat environment. Attack avenues increase 
as cloud services and multiple data devices are used and equipment is moved into and out 
of the network. In order to safeguard data, an enterprise must actively institute 
detection-in-depth so that attackers will encounter new defenses at every turn. According 
to Joe Faulhaber4, a Senior Consultant ECG for Microsoft: 


Configurations are in constant flux, hardware is being cycled, 
software is updating, workloads are moving to the cloud, and 
users are bringing devices in and out of the network. At the same 
time, random attacks are entering the system, and there is 
danger of well-funded, determined external attackers trying to 
steal valuable data from enterprises as well. Even insiders can be 
threats, and what an attack looks like can change every day. 


Thus, detection-in-depth allows the enterprise to increase the probability of detecting an 
attack, even if one of the layers of defenses has been successfully breached. 
Detection-in-depth may be achieved by implementing one or more of the following detection 
methods: 


Network and Cloud Intrusion Detection that monitors all traffic into and out of the network 
or cloud for unauthorized access. These systems have three primary components: 


o Network Intrusion Detection System (NIDS) that monitors all network traffic and 
compares against a library of known attacks 

o Network Node Intrusion Detection System that monitors a single host in a manner 
similar to the NIDS 

o Host Intrusion Detection System that images an entire system’s file set and 
compares it to a previous snapshot. It alerts the administrator to any identified 
differences. 


Journal of Physical Security 14(1), 13-34 (2021) 


Behavior Monitoring 

This functionality uses machine learning, an advanced correlation engine, and/or 
behavioral biometrics. These methods allow for mapping of the usual threat behaviors 
such as rootkit installation, attempts to detect the “sandbox” environment, or 
attempts to disable security controls. This functionality can be accomplished using the 
following techniques, among others: 


o Service and Infrastructure Monitoring detects unexpected service outages 
throughout the critical infrastructure 

o Network Protocol Analysis to determine the exploit method used and/or 
determine what specific data was extracted 

o Network Flow Analysis to identify high-level trends related to the protocols used 
and bandwidth usage 


Privilege Escalation Detection - The technique designed to identify when software flaws 
have been exploited in order to gain elevated access to resources that are normally 
protected from an application or user. It is critical to detect and prevent vertical and 
horizontal privilege escalation activities as these are generally a precursor to a much 
more damaging attack to be made later by an attacker. Techniques used to detect 
privilege escalation include, but are not limited to: 


o Host Intrusion Detection as previously discussed 

o File Integrity Monitoring validates the integrity of operating system and 
application software files by comparing the current file state and a known, good 
baseline. 

o Attempted Unauthorized User Access Detection 

o Monitoring SaaS Services such as Office 365 or G Suite 
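
An added example (not from the paper) of the snapshot comparison described above under Host Intrusion Detection and File Integrity Monitoring: it records a SHA-256 digest and the permission bits of every file, then reports what differs from the known-good baseline. The file names, the temporary directory and the extra check for newly set setuid/setgid bits are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Walk root and return {relative_path: (sha256_hex, permission_bits)}."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            info = os.lstat(full)
            if not stat.S_ISREG(info.st_mode):
                continue  # skip symlinks, sockets and device nodes
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (digest.hexdigest(), stat.S_IMODE(info.st_mode))
    return manifest


def compare(baseline, current):
    """Diff two manifests into the categories an administrator is alerted to."""
    common = set(baseline) & set(current)
    special = stat.S_ISUID | stat.S_ISGID
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p][0] != current[p][0]),
        "mode_changed": sorted(p for p in common if baseline[p][1] != current[p][1]),
        # A file that gains setuid/setgid is a common privilege-escalation trace.
        "setid_gained": sorted(
            p for p in current
            if current[p][1] & special
            and not baseline.get(p, ("", 0))[1] & special
        ),
    }


def demo():
    """Build a constructed file tree, take a baseline, change it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        sample = {
            "bin/login": b"login v1",
            "bin/backup": b"backup v1",
            "etc_hosts": b"127.0.0.1 localhost\n",
        }
        for rel, data in sample.items():
            path = os.path.join(root, rel)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, 0o644)
        baseline = snapshot(root)

        # Constructed changes made after the baseline was taken.
        with open(os.path.join(root, "bin/login"), "wb") as fh:
            fh.write(b"login v1 + unexpected patch")
        os.chmod(os.path.join(root, "bin/backup"), 0o4755)
        os.remove(os.path.join(root, "etc_hosts"))
        with open(os.path.join(root, "bin/helper"), "wb") as fh:
            fh.write(b"new file")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:13s} {paths}")
```

The baseline manifest itself has to be stored where the monitored host cannot rewrite it, otherwise whoever altered the files can alter the baseline as well.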


Event Correlation - A technique that evaluates various occurrences to identify specific 
patterns. This is done by gathering data from the application logs or host logs and 
analyzing it to identify relationships. Event correlation can be accomplished using the 
following techniques, among others: 


o Security Incident and Event Management (SIEM) which is a packaged set of 
technologies designed to give a holistic view of a network infrastructure. 

o Malicious Host Communication Detection allows for identifying, isolating, 
quarantining or blocking potentially dangerous communications that could 
otherwise exploit your network. 

o Using a centralized dashboard that prioritizes threats based on user inputs 


Physical Security - placing access control and intrusion detection devices onto doors, 
walls, windows and ventilation ducts to computer and server rooms, data centers and 
other IT-related areas will allow for detection of unauthorized entry. Video surveillance 
cameras inside these areas and covering exterior doors to those locations will create a 
visible record of who entered, whether permissive or otherwise. 


Threat Mitigation 


Simply because a system is in place with safeguards installed does not mean the system is 
fully protected as-is from that point forward. Cybersecurity is not a “set it and forget it” 
environment. Systems that are installed are static, while threats to those systems are 
constantly evolving. You need to continually assess whether the security solutions in place 
are still adequate for your needs and determine how to close any newly discovered 
vulnerabilities uncovered by the assessment. Only in this manner can your systems 
continue to provide the necessary safeguards against current and evolving threats. 


The basic means of cybersecurity threat mitigation include, but are certainly not limited to, 
the following: 


Risk Assessment is a pro-active, systematic process conducted to evaluate a system, 
classify the most-likely threats against a system and identify that system’s potential 
vulnerabilities. This allows an organization to calculate risk and develop a strategy or 
set of strategies designed to reduce the risk to the lowest acceptable level. 


Access Control System which secures the network by denying access to non-compliant 
devices, placing them in a quarantine area or restricting their access to the 
system. According to Cisco Systems, the general capabilities of a network access 
control system include: 


o Profiling and visibility to recognize and profile users and their devices 

o Guest networking access to manage guest access 

o Security posture check to evaluate security-policy compliance 

o Incident response which mitigates network threats by enforcing security 
policies 

o Bidirectional integration with other security and network solutions 

o Policy lifecycle management to enforce policies for all operating scenarios 


Intrusion Detection System to monitor all traffic into and out of the network as discussed 
above. 


Video Surveillance System cameras to overwatch critical systems and access points into 
controlled or restricted spaces housing IT systems 


Policies and Procedures - these form the backbone of any organizational effort to reduce 
or mitigate risk. They demonstrate senior leadership support, outline the issue, define 
acceptable operating criteria and highlight everyone’s roles and responsibilities within 
the established guidance. Without policies and procedures, organizations simply “wing 
it” and will find it difficult - if not impossible - to establish the desired risk 
management, organizational behavior and operating culture. 


Automated Device Data Wiping - Employ tools that automatically sync to Active Directory 
or other domain management software to trigger automatic data wiping of exiting 
employee’s devices. This reduces the risk of the manual wiping process not being 
completed which would allow the employee to continue to access an organization's 
critical information. These accounts must still be manually audited to ensure the 
accounts were actually deleted and identify and correct system gaps when automated 
actions do not occur.® 
Practice Basic Computer/Network Security by following simple, known protocols that 
include, but are not limited to, the following: 


Enforcing password policies, which is the most basic method to improve security but 
is also the hardest to implement. When correctly implemented, strong passwords 
are secure. However, the requirements for strong passwords must not place an 
undue burden on the computer user. 


Install patches and software updates to eliminate identified vulnerabilities that could 
be exploited by an attacker. 


Physical Security/Critical Infrastructure Protection 


Environment 


Insider threats to physical security can come from current or former employees, 
contractors, and trusted business partners, clients and vendors. Once unauthorized 
physical access is gained into controlled or restricted spaces of an organization, the insider 
can easily transform the threat from potential to actual and the damage to an organization 
will begin. Thus, an organization’s physical security controls are equally as important as 
their IT-based security controls. Insider threats can exploit the physical security in a 
number of ways, including: 


Poor Physical Security Environment: This includes: 


o Insufficient guard oversight 

o Poor or missing guard post orders or instructions 

o Unmonitored video surveillance systems 

o Insufficient or non-existent physical security system coverage 


Unauthorized Facility Access: This risk from unauthorized access can manifest itself in a 
number of forms, such as: 


o Employees who access facilities without permission before or after standard 
work hours 

o Unauthorized employees piggybacking through a door into a controlled or 
restricted space behind an authorized employee 

o A former employee whose access rights have not been terminated 


Physical Property Destruction: Employees breaking into secure spaces, stealing assets or 
equipment or vandalizing structures or assets 


Infiltration/Exfiltration of Physical Property: Activities such as bringing removable assets 
such as computer equipment, tools and other items either into or out of a facility 
Custodial Staff Problems: This includes custodial staff who steal assets or documents, or who 
fall victim to social engineering scams that permit unauthorized physical access rights 


Threat Detection 


The two most important active physical security system components that can be used to 
detect an insider threat are an organization’s security personnel and its physical security 
technology: 


Security Personnel 


o Properly written post orders will provide the guidance necessary for security 
personnel to respond to any security incident or emergency. 

o Regular or unpredictable patrols of controlled or restricted areas should be 
conducted to determine whether unauthorized access has occurred and to 
respond to incidents detected by security technology. 

o Security Investigations conducted by specialist personnel with the proper 
capabilities who look for insider threat indicators so they can stop, or at least 
interrupt, an insider threat before the damage can be done. 


Security Technology 


o Access Control by designating public, controlled and restricted spaces each with 
their own levels of physical security protection measures 

o Intrusion Detection sensors and alarms to detect unauthorized entry into 
physical locations that are controlled or restricted 

o Video Surveillance provides an overwatch of all areas to detect potential threats 

o Alert and Notification alarms issued by security technology must be transmitted 
to the proper personnel for immediate assessment and response, as necessary 
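
An added example (not from the paper) of how access-control logs can surface the unauthorized facility access cases listed earlier: entry outside permitted hours, use of a badge whose rights should have been terminated, and an exit with no matching entry, which can indicate a piggybacked entry. The log format, badge IDs, area names, permitted hours and roster are all constructed for illustration.

```python
from datetime import datetime, time

# Constructed roster: badge status and permitted entry window (assumed policy).
ROSTER = {
    "B1001": {"status": "active", "hours": (time(7, 0), time(19, 0))},
    "B1002": {"status": "active", "hours": (time(7, 0), time(19, 0))},
    "B1003": {"status": "terminated", "hours": (time(7, 0), time(19, 0))},
}

# Constructed badge-reader log: timestamp, badge ID, area, direction.
SAMPLE_LOG = """\
2021-03-01T08:02:11 B1001 SERVER_ROOM IN
2021-03-01T08:40:03 B1001 SERVER_ROOM OUT
2021-03-01T09:15:47 B1002 SERVER_ROOM OUT
2021-03-01T22:31:05 B1001 SERVER_ROOM IN
2021-03-01T22:55:40 B1001 SERVER_ROOM OUT
2021-03-02T10:05:00 B1003 LOADING_DOCK IN
2021-03-02T10:07:30 B9999 LOBBY IN
malformed line
"""


def analyze(log_text, roster):
    """Return a list of (line_number, finding, badge, area) tuples."""
    findings = []
    inside = set()  # (badge, area) pairs that badged in and have not badged out
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            stamp, badge, area, direction = line.split()
            when = datetime.fromisoformat(stamp)
            if direction not in ("IN", "OUT"):
                raise ValueError(direction)
        except ValueError:
            # Unreadable records are reported, never silently dropped.
            findings.append((lineno, "UNPARSED", None, None))
            continue

        holder = roster.get(badge)
        if holder is None:
            findings.append((lineno, "UNKNOWN_BADGE", badge, area))
            continue
        if holder["status"] != "active":
            # Former employee whose access rights were not revoked at the reader.
            findings.append((lineno, "TERMINATED_BADGE", badge, area))
            continue

        if direction == "IN":
            start, end = holder["hours"]
            if not (start <= when.time() <= end):
                findings.append((lineno, "AFTER_HOURS", badge, area))
            inside.add((badge, area))
        elif (badge, area) in inside:
            inside.remove((badge, area))
        else:
            # Badge left an area it never badged into: the holder may have
            # followed someone else through the door.
            findings.append((lineno, "EXIT_WITHOUT_ENTRY", badge, area))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, ROSTER):
        print(finding)
```

Each finding is a prompt for the alert-and-response step above, since an after-hours entry or an unmatched exit can have a legitimate explanation that only a person can confirm.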


Threat Mitigation 


Mitigation efforts center around minimizing the amount of damage that can be done by 
an inside threat. This is mainly accomplished through understanding the existing 
vulnerabilities, training employees to understand the damage that can be done by an 
insider while policies and procedures outline roles and responsibilities, reporting 
procedures as well as proscribed penalties for violating established protocols. These 
methods include: 


Security Risk Assessment outlines existing security conditions, identifies vulnerabilities 
and provides a list of measures designed to allow security personnel to develop a 
comprehensive strategy designed to reduce the organization’s overall risk. 

Security Awareness - training all employees through messages, emails, broadcasts and 
computer-based training sessions. Fostering a security culture that includes a high 
degree of personal engagement can gain the buy-in of employees who will then serve as 
additional security “force multipliers” in combatting insider threats. 


Policies and Procedures are the statements of principles and process steps designed to 
allow the organization to achieve its stated security goals and objectives. These are 
designed to outline the desired end-state and effectively mold the security-related 
behavior of all organization employees. 


Workplace Violence 


Environment 


In 2017, nearly 2 million people were the victim of workplace violence in the United 
States alone. According to the National Institute for Occupational Safety and HealthZ, these 
attacks resulted in 453 fatalities and approximately 20,790 injuries in 2018. There are four 
primary categories of workplace violence: 


Criminal Intent: where the perpetrator has no connection to the organization but whose 
sole purpose is to commit a crime. The January 2019 attack on the Suntrust Bank 
branch in Sebring, FL in which five people were killed by a gunman is an example of 
criminal intent workplace violence.® 


Dissatisfied Customer or Client: where a customer perpetrates violence directed at staff 
members of an organization (mostly in healthcare). The July 2017 physical attack on a 
healthcare worker by a patient in Layton, UT is an example of a dissatisfied customer 
workplace violence.? 


Worker-on-Worker: Violence in the form of bullying, emotional abuse, physical abuse and 
other actions that often go unreported for fear of further reprisals from the offender. 
This is often seen in supervisor-to-worker relationships. The UPS Warehouse shooting 
in San Francisco in June 2017 in which four people were killed and five others injured is 
an example of worker-on-worker workplace violence.12 


Domestic Relationship: A relative of the victim extends domestic abuse at home into the 
victim’s workplace. The woman who shot two people before fatally shooting herself at 
the Ficosa Plant in Cookeville, TN in April 2017 is an example of domestic violence 
spilling over into the workplace.+ 


Threat Detection 


In an effort to predict potential workplace violence, regular profiling and screening 
methods only work well after an event. They are not reliable indicators in predicting or 
interdicting an event.12 Instead, knowing workers well enough to understand specific, key 
behavioral indicators can be more appropriate and informative. These indicators include: 
Changes in overall work performance (i.e., tardiness, absenteeism, increased 
error rates in work performed, etc.) 

Taking more sick days or staying away from work longer than expected after an 
illness 

Changes in social behavior to include conflict with some regular coworkers or 
the complete avoidance of others 

Neglect of personal hygiene can indicate a depressed state of mind 

Expressions of desperation or suicidal ideation 


Threat Mitigation 


Given the growing threat to business operations posed by workplace violence, mitigation 
efforts to minimize the incidence and impact of workplace violence require both 
management commitment and employee involvement. These mitigation efforts can take 
many forms, including: 


Policies and Procedures 


Policies and procedures form the backbone of any effort to mitigate risk within an 
organization. The following procedures and policies should be developed and 
implemented, at a minimum: 


Emergency Action Plan13 which contains an evacuation plan covering drills for 
Hostile Intruder and Safe Room Procedures (as applicable). 


Visitor Protocol Policy that includes access control for former employees and 
spouses. 


Domestic Violence Policy - must ensure employees know what services are 
offered by the organization. 


Workplace Violence Prevention Policy - reviewed, updated and reissued to all 
employees annually and includes a “Zero Tolerance” attitude toward workplace 
violence. 


Harassment Policy Statement which is reviewed, updated and reissued to all 
employees annually and includes a “Zero Tolerance” attitude toward harassment 
of any kind. 


Training 


Implement or update a New Employee Orientation to include training on 
Workplace Violence Policy, Procedures and Guidelines. 


Teach employees to recognize the potential warning signs of workplace violence. 
These may include, but are not limited to: 
o Paranoia 

o Excessive use of substances and/or alcohol 

o Unexplained absenteeism, change in behavior or decline in work 
performance 

o Depression, withdrawal or suicidal comments 

o Resistance to changes at work or persistent complaining about unfair 
treatment 

o Violation of company policies 

o Emotional response to criticism or major mood swings 


Educate supervisors about their responsibility to thoroughly report, document 
and investigate every complaint. 


Train employees that reporting at-risk situations is their responsibility in 
emphasizing their value. 


Assessments 


Conduct a workplace assessment by visual observation by in-house or impartial 
third-party observers and issue an employee questionnaire to aid in identifying 
potential hazards. 


Review recent incidents to identify potential gaps in existing Violence Response 
Plan. 


Assess the most-recent full emergency evacuation drill, and determine if the 
organization is prepared for chemical, weather, fire, bomb or hostile intruder 
threats. 


Human Capital Development 


Personnel Background Screening 
Employee Onboarding Training 
Situational Awareness Training 
Threat Reporting Program 

Policies, Procedures and Guidelines 
HR Grievance Process 

HR Conflict Resolution Mechanisms 


Sensitive Information/Controlled Unclassified Information 


Environment 


Sensitive information is any information that, if released, could result in a loss of 
advantage over competitors. The unauthorized release of sensitive information could 
adversely affect the organization, its suppliers and customers and could negatively impact 
the welfare of its employees. Similarly, Controlled Unclassified Information is a category of 
unclassified information that requires additional controls to prevent unauthorized release. 
Primarily a government classification, this can be applied equally to business concerns for 
any information that is sensitive by nature whose release could cause injury or harm to the 
organization. Sensitive Information/Controlled Unclassified Information can include the 
following, among others: 


Trade Secrets and Intellectual Property which are data, information, business processes or 
other factors that give an organization a distinct advantage over its competitors in a 
given industry. This information must be protected at all costs from unauthorized 
disclosure or compromise. 


Supplier and Customer Information which can include names, bank account numbers or 
other payment information, addresses, social security numbers and passwords among 
others. This is by far the most damaging information that can be compromised. This speaks 
to an organization’s reputation, brand image and lack of capabilities. 


Financial Data such as operating expenses, payroll, sales, debts and liabilities, banking, 
and other information that, if exploited, could be devastating to an organization’s 
continued existence. 


Inventory and Operational Data consisting of any information about how the company 
operates or how much inventory the organization carries at any specific time. These 
data can be exploited by business rivals to compromise an organization’s competitive 
advantage. 


Industry-Specific Information that, if compromised, can damage the organization’s standing 
as a leader in a specific industry. 


Acquisitions or New Product Plans such as non-public acquisitions, plans to expand into 
new markets or the development of new product lines which must be protected in order 
to ensure business competitors do not thwart the organization’s strategic plans. 


Employee Personally Identifiable Information including names, positions, home addresses, 
social security numbers, bank account and routing numbers, health information, 
positive and derogatory personnel information and passwords. 


Threat Detection 


Spillage of sensitive information/Controlled Unclassified Information is an issue whose 
importance has grown due to the increased use of social media, the reliance on email and 
virtual or in-person presentations, as well as the storage of huge amounts of sensitive or 
controlled data by companies. However, at present the only reasonably reliable detection 
methods include computer algorithm internet searches employing machine learning or 
direct, visual observation by a person of data spillage. The former is limited by having to 
search a very narrow category based on pre-programmed datasets, while the latter is 
limited by the human ability to read everything that is shared or posted and recognize 
whether the information is of a sensitive nature or not. Neither of these detection methods 
is particularly effective in finding and alerting the correct people when printed data has 
been spilled, leaked or stolen. This is why it is of utmost importance to have an established, 
well-functioning mitigation program in place to spot a problem that can arise before it starts. 


Threat Mitigation 


An effective sensitive information/controlled unclassified information threat mitigation 
strategy will reduce the possible risk of data being accessed and, if it is, will help minimize 
the impact of the data loss. These measures revolve around training staff (to include third- 
party contractors with access to sensitive information) how to effectively handle, transmit, 
store and destroy data appropriately. 


Sensitive Information Management Policy - this policy should include (at a minimum) the 
types of information the organization considers to be sensitive, cover sheet usage, 
passwords, transmission methods, data handling, disposal and destruction methods and 
penalties for policy violations. This policy should also include the contact person within 
the organization who is responsible for managing the in-house Sensitive Information/ 
Controlled Unclassified Information Program so that person can be contacted with 
questions or for further information, as needed. 


Training - Data breaches can occur through intentional or unintentional insider actions. Often,
inadvertent data leaks occur because employees have not received adequate training in 
handling sensitive information. By training employees on why safeguarding sensitive 
information is important and how to do it, they will understand how their actions (or 
inactions) can impact the organization. This training should use the Sensitive 
Information Management Policy as its base. 


Limit or Control Access - access to sensitive or controlled information should be restricted 
to only those personnel with a defined “need-to-know” in order to perform their daily
job functions. Data can be further restricted by implementing mandatory document 
passwords, encryption, or firewalls into specific network drives. An organization can 
further increase their security of sensitive information by implementing any 
combination of these three safeguard methods. 


Safe, Confidential and Confirmed Data Delivery - send data to an external location via a 
trusted delivery company, internal courier or encrypted hard drive, such as an IronKey 
or DataLocker. If sent via email, use a corporate or local virtual private network or 
secure file sharing program that encrypts the transmission until it reaches the recipient. 
If information must be sent via unsecured email, be sure the data is at least password 
protected. Send the password to the recipient in a separate email with no information 
in the subject line. Then contact the recipient to ensure they have received the 
transmission and can open the document. 


Lockable Storage Cabinets - Place the sensitive documents into a cabinet that can be 
locked which restricts access to only a few specific, approved individuals. This cabinet
should be placed in a secure room which further restricts access and should also be
covered by an intrusion alarm and/or video surveillance camera. 


Use Shredders and Separate Confidential Waste Bins - if hard copies of documents are 
maintained on-site, it is important to have the means to destroy the documents at the 
appropriate time. A shredder should be the primary means of disposal, but one should
not assume that shredded material is no longer of use to business competitors
and others seeking to access sensitive company data. Therefore, additional security can
be obtained when using the shredder by adding the use of a confidential waste bin 
whose contents will be disposed through a third-party secure disposal service. The 
confidential waste bin can also be used independently if the disposal company is well- 
known and a sufficient level of trust exists between the organization and disposal 
company. 


Presentation Review Board - allows for review of content of presentations to ensure that 
sensitive or controlled unclassified information isn’t inadvertently leaked in 
presentations given at trade shows, conferences and other external meetings.


Remove Contractor Privileges and/or Cancel Contracts - Contractor personnel who violate 
sensitive information/controlled unclassified information policies and procedures 
should be warned and trained how to follow established procedures for a first offense. 
For repeated violations, the contractor should be barred from accessing the information 
and removed from the job site. Egregious violations should result in the loss of contract 
for the violator’s employer. 


Food Security 


Environment 


Food defense is the pro-active protection of food against the intentional, malicious 
introduction of contaminants with the aim of causing widespread harm to public health. 
Despite a long history of attacks on food sources that goes back several millennia, only in 
the last decade has increased strategic attention been devoted to the protection of food at 
the production and preparation locations. There are multiple establishments in the food 
production system, including firms that produce, process, store, repack, relabel, distribute, 
or transport food or food ingredients, each of which imposes a potential new set of
vulnerability points in the process. Perhaps the most insidious threat in any of these links 
is the insider threat. 


According to the American Society for Industrial Security (ASIS) International: 
A failure to properly recognize the broader scope of insider
threats could pose a significant risk to an organization’s brand. A
single incident could prove harmful enough to put a company out
of business.14


There is a particularly unique and very severe impact to the organization’s brand, as well
as to the public in general, when the insider threatens the security of food. The definition of
the types of insider threats to foodstuffs depends upon where in the production and
distribution chain the attack occurs and the toxicity of the substance inserted into the food.
There are three primary avenues by which an insider can threaten the security of food
products:


Sabotage consists of the deliberate actions of individuals to degrade the quality of food as it is
being produced or prepared. The January 2014 case of the Pizza Hut manager who spit 
into the food of a police officer who previously arrested her is an example of an insider 
sabotaging food.15 


Adulteration is the deliberate placing of foreign items into food by individuals with the 
intent to injure or cause illness in anyone who consumes it. The former strawberry 
farm supervisor in Queensland, Australia who placed sewing needles into strawberries 
in September 2018, thereby forcing a nationwide recall of the items, is an example of an
insider adulterating food items.16


Poisoning is the placing of toxic items into a food product to cause illness or death to those
who consume it. The disgruntled former employee of the Byron Center Family Fare 
Supermarket in Byron Center, MI who poisoned 200 pounds of ground beef in 2003 is 
an example of an insider poisoning food items.12 


Threat Detection 


It is of paramount importance that organizations involved (even tangentially) with food 
systems be on-guard against potential threats at all stages of production and distribution. 
This not only protects the quality and availability of food but also protects the
general public against threats to their overall health. Threat detection can take numerous 
forms, of which four are discussed briefly below: 


Employee Background Screening - Submitting potential employees to criminal background 
and credit checks can identify potential “red flags” in candidates who apply for positions
that allow access to critical assets or vulnerable processes within an organization. Given 
that everyone’s personal circumstances change over time, updated checks should be 
conducted on existing employees every 18 to 36 months. 


Disruptive Behavior Reporting and Management System - Establishing this type of system 
will allow the organization to document, track and thoroughly investigate any reports, 
establish patterns of negative behavior and establish correlations between reported 
issues and events. 


Internal Information Sharing - working with union representatives and human resources
to overcome obstacles to information-sharing with security personnel will allow for
pro-active identification of issues and implementation of mitigation measures.


Grievance Management - Establishing an effective mechanism to air and redress
grievances can aid in uncovering potential threats, particularly when an organization's 
HR team works in close cooperation with security personnel. An effective grievance 
management process can also ensure that problems can be resolved before they 
escalate into a potential situation that negatively impacts workers and the organization. 


Threat Mitigation 


Activities related to food defense threat mitigation center around three primary 
components: 


Food Defense Plan - the food defense plan is a set of written documents based on sound 
food defense principles. While there is no established format for the food defense plan, 
it should incorporate (at a minimum) the following components: 


Food Defense Monitoring - according to the US Food and Substance Administration, 
food defense monitoring is the sequence of observations or measurements 
conducted to assess whether mitigation strategies are operating as intended. 


Food Defense Verification - the application of methods, procedures, and other 
evaluations, in addition to food defense monitoring, to determine whether a 
mitigation strategy (or combination of mitigation strategies) is or has been 
operating as intended according to the food defense plan. 


Food Access Control - methods implemented to restrict physical access to food 
products as well as network access to manufacturing devices throughout the entire 
production process 


Food Storage Intrusion Detection - methods that determine whether physical or 
computer access has been gained by unauthorized personnel during the production 
process. 


Food Defense Corrective Actions - a set of actions to be taken if the mitigation 
measures implemented as part of the food defense plan are found to be insufficient. 


Vulnerability Assessment - identifies significant vulnerabilities and actionable process
steps that result in a set of mitigation measures that form the overall strategy to reduce
risk. Assessment methods include, but are not limited to, the following:


Four Key Activity Types Method 


• Bulk liquid receiving and loading
• Liquid storage and handling
• Secondary ingredient handling
• Mixing and similar activities


Three Fundamental Elements Method 


• Potential public health impact
• Degree of physical access to the product
• Ability of an attacker to successfully contaminate the product


Hybrid Approach Method that combines the previous two methods 


CARVER + SHOCK?® - This methodology was created by the military and is applied 
primarily to the agriculture and food production sectors. CARVER stands for 
Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability. 
SHOCK is the combined assessment of the health, psychological, and collateral 
national-level economic impacts of a successful attack on the target system. 


Facility-wide Security Measures — the general security measures taken to protect personnel, 
product, the facility and its associated machinery and utilities 


Physical Security - as previously discussed above 


Cyber Security - as previously discussed above 


Substance Abuse 


Environment 


Substance abuse is the overuse of, or dependence upon, addictive substances. Most often,
these substances are drugs, alcohol, or both. The estimated losses due to substance abuse are
simply astonishing: $81 billion in lost profits annually, while an additional $25 to $53
billion in lost productivity is due to opioid abuse alone.20 Besides the hammering of the
bottom line, the problems substance abuse can present to an organization can be further
summarized as:


Substance use and abuse are potential precursors to insider 
threat. They could lead to concerning behaviors and both 
criminal and non-criminal acts against an organization. Insider 
incidents may include theft of intellectual property, sabotage, 
espionage, fraud, workplace violence, and non-malicious, 
accidental incidents. In these instances, insiders may commit 
malicious acts in order to procure money to support their habits 
or addictions or, due to the effects of the substances on their 
behavior, may commit acts of workplace violence. Substance use 
and abuse may also impact an insider's cognitive abilities, 
leading to unintentional insider threats. These unintentional acts
might include being more likely to click on phishing emails or
misplace company equipment.21 


There are a number of avenues in which substance abuse can negatively impact a 
business and its operations. A few, but not all, are listed below: 


Poor Decision-Making (negligence) which can possibly lead to either the unintentional, 
non-malicious compromise of an organization’s data or the willful exposure of the data 
to external actors exploiting the substance user’s vulnerability.


Theft of Assets or Data from an organization in order to sell to support the abuser’s 
dependency.


Increased Likelihood of Trouble with coworkers or supervisors, which could potentially 
develop into a workplace violence situation. 


Potential Exploitation of the worker’s known substance abuse by an external actor in 
order to gain access to an organization’s systems, processes or data. 


Threat Detection 


Substance abuse can lead to other insider risks as described in this paper. Rather than let 
the situation spiral out of control to a point where you will be liable for injury, damages, 
and losses for failing to act, it is best to adopt a pro-active approach. This approach must be
performed within an environment that does not present itself as being overtly hostile to the 
employee, which could trigger a negative response or reaction. Two primary methods that 
can be employed to detect substance abuse in the workplace are: 


Direct Observation of behavior by supervisors and coworkers can give rise to suspicions 
of substance abuse: 


• Observe an employee’s actions and behaviors for indications of impairment

• Document the employee’s behavior, signs, and symptoms for reference

• Employ “Reasonable Suspicion Testing” to determine that substance abuse is
not the cause of an employee’s suspicious behavior or appearance.


Potentially Disruptive Behavior Monitoring: 


• Badge records for tardiness

• Web searches related to alleviating the effects of withdrawal and procuring
substances

• Within the bounds of legal permissibility, gather information about past
arrests and financial stressors potentially resulting from substance abuse

• Gather information from HR that could provide recent information on
disciplinary actions, security violations and substance abuse test results (the
latter, if permitted)


Threat Mitigation


The biggest case that can be made for mitigating substance abuse in the workplace, aside 
from the company’s bottom line, is the potential improvement in the quality of life for the 
affected employee (and that person’s coworkers), which will most likely translate into a 
lessened risk of workplace violence and a reduction in threat of theft and other criminal 
activities. So, the question is how to mitigate this threat? 


Employee Education and Awareness - This is a recurring theme throughout all aspects of 
threat identification. Employees should be taught how to identify suspicious behavior
and to report it to supervisors or through alternative channels. 


Mandatory, Scheduled Substance Testing for positions of moderate- to high-risk 


Employee Assistance Programs designed to establish a recovery-friendly workplace in 
which the employee can seek and receive assistance without fear of official, codified 
punitive action by the organization. 


Criminal Activity 


Environment 


Whether it’s “white collar” or “blue collar”, crimes against persons or property, felonies or
misdemeanors, criminal activity in the workplace is a real, tangible, and everyday problem.
The types of insider threat criminal activity in the workplace that will be discussed here
include fraud, embezzlement, theft/larceny and many other activities. It is estimated
that $60 billion is lost each year to employee theft alone.22


Theft is by far the most common cause of losses suffered by employers and can consist 
of: 


Cash theft which can result from pilfering petty cash up to the various forms of 
embezzlement by employees who handle cash, checks, or credit cards. 


Inventory theft using garbage bins, recycling system, personal bags or other means 
to sneak out business goods. In retail, the return and refund process yields many 
chances to steal from the company with or without the help of a third party. 


Credit card/personally identifiable information theft where employees, particularly in
retail sales, steal the data of customers and their credit cards.


Theft of office supplies for personal or home use 


Theft from customers ranges from undercounting change that is then diverted
into the pocket of the thief to actually stealing customer personal property.


Theft of payroll resulting in payment for unearned time and reimbursement for
non-existent business expenses. This can be the result of other factors already listed,
such as substance abuse.


Fraud is much more prevalent in small firms (i.e., those with under 100 employees) than 
larger ones.22: Types of fraud can include: 


• Asset Misappropriation
• Vendor fraud
• Accounting fraud
• Data theft
• Bribery
• Payroll Fraud


Threat Detection 


You trust employees with the keys to your business. Sometimes, that trust is betrayed for 
one reason or another. Methods that can detect that betrayal and uncover employee
criminal activity are surprisingly simple, provided you are paying attention. Such detection
methods can include, at a minimum:


Direct Observation which can often lead to the discovery of employee criminal activity in 
the workplace. This can include noticing an employee living well beyond his or her 
means (a possible indicator of fraud), frequent tips or complaints about an employee, or 
even event correlation of an employee being a constant in time and place of criminal 
activity.


Execute Inventory Control and Audits in an impromptu manner using a third-party for 
objectivity. This auditing firm must have a direct reporting line to senior executives and 
key decision-makers. This includes using an outside accountant to examine key financial
records: bank records, ledgers and checks. Conduct inventory audits to ensure 
irregularities or losses are discovered and thoroughly investigated. 


Establish a Trash Removal Routine that includes breaking down and flattening of all boxes,
using clear trash bags and ensuring one-way access for employees to trash dumpsters
or compactors. Cover trash dumpsters with video surveillance system cameras.


Conduct and Document Thorough Investigations of all employee theft reports. The
importance of this method cannot be stressed enough.


Threat Mitigation 


Therefore, mitigating criminal activity in the workplace isn’t simply a good idea, it’s an
absolute requirement.


Establish the proper kind of company culture where employees are engaged and are
permitted to report security violations. If employees see a culture in which criminal 
activities are permitted, then crime will flourish. Creating the proper culture starts 
with, but is definitely not limited to, the following: 

• Provide clear policies that ensure all employees know there will be strict
consequences for anyone who commits a crime. Having employees sign the
policy annually both impresses upon them the importance the company attaches
to the policy and also reinforces in their minds exactly what will happen if they
choose to steal from the company.

• Create a confidential employee tip line to allow loyal employees to report their
concerns. Follow up on each report.

• Mandatory employee and contractor background checks to include past
employers. Contact all professional references and ask why they left the job.

• Conduct criminal history checks and do not gloss over any “red flags” that
appear.

• Employee Situational Awareness Training where everyone is reminded to lock up
their vehicles, valuables, and personal effects while in the office and to practice
personal safety and security measures at all times.


Use a Security Management System that allows for reporting and tracking security 
incidents, managing risks, monitoring the status of security equipment and identifying
gaps in equipment coverage.


Put in and Monitor a Video Surveillance System to discourage negative behavior before it 
happens and record risky behavior as it happens. 


Install Access Control Systems to allow access to employees based on work schedule while
simultaneously prohibiting unauthorized access.


Set up Intrusion Detection Systems on doors to controlled or restricted spaces to alert 
security personnel of unauthorized entry. 


Conclusion 


An insider is someone within an organization who has access to critical data, assets, 
information and even personnel. The threat arises when someone with privileged access 
negligently or willfully violates the trust an organization has placed in them, whether by 
themselves or in concert with an outsider. These insider threats can come in many forms,
and can include cyber and physical security threats, workplace violence, sensitive
information breaches, food security violations, substance abuse and criminal activity to 
name just a few. 


Detection methods vary based on the threat, but generally revolve around a few core
concepts. These include direct observation and monitoring of employees, data, and assets. 
In addition, installing and monitoring physical security systems designed to detect 
unauthorized access or record malicious acts aids in detection by allowing more 
comprehensive coverage of a facility than simple observation alone. In essence, physical 
security equipment is a true “force multiplier” when detecting potential or actual threats. 


Not even the most comprehensive detection program will identify all insider threats in 
time to raise an alarm before the damage has begun. Insider threats cost companies 
billions in lost profit, damages, lost productivity, assets, and lost reputation, not to mention 
the loss of employees either through violence or fear. Establishing the proper corporate 
culture by developing proper policies and procedures, training employees through security 
awareness campaigns, and applying these measures wholesale to employees, customers, 
visitors, contractors and vendors will assist the organization in detecting an insider threat 
in time to intervene or stop an attack. Therefore, organizations must make it a top priority 
to mitigate the impact and duration of any incident that may arise as a result of an insider. 


However, such programs must have the continuous backing and support of senior 
management and key decision-makers within an organization. These programs cannot be 
created and then sit on a shelf collecting dust until a threat has made itself known. The 
threat is dynamic, ever-present, and will continue to be so. As such, it requires constant 
vigilance on the part of an organization to make this work. One moment of weakness or
inattention is all it takes for disaster to strike.


Want Seals With That?
Fast Food, Covid, and Tamper Detection* 


Roger G. Johnston, Ph.D., CPP 
Right Brain Sekurity 
https://rbsekurity.com


Apparently due to the COVID-19 pandemic, many fast food restaurants now hand you 
your order in a paper bag sealed with a pressure-sensitive adhesive (PSA) label seal. The 
way they are typically used for various security purposes, PSA seals do not provide reliable 
tamper detection, though this does not necessarily have to be the case if they are used in a
more time-intensive manner with an understanding of their vulnerabilities and attack 
scenarios.[1-3] 


PSA seals are often easy to lift and reuse without leaving any discernible evidence, 
particularly in the first 24-48 hours before the adhesive has achieved full adhesion. Putting 
a sticky seal on a flexible, greasy fast-food paper bag is especially dubious, though the 
particular fast-food chain used for this study is not very greasy, nor were the bags 
containing my food orders. 


I did a series of informal experiments with 5 drive-up window food orders from two local 
franchises of the same popular national fast-food chain. Three minutes after the purchase 
while in my car, I found that it was easy to remove the bag's PSA seal in 10 to 15 seconds 
(presumably less with practice or tools), open the bag, then satisfactorily reseal the bag 
with no discernible evidence that the bag had been opened. No special skills, tools, or 
solvents were needed, just a bit of careful effort. 


It was also quick and easy to pry apart the bottom of the bag (where there was no seal,
just an adhesive). I was then able to use a household adhesive to re-glue the bottom of the
bag. Again, no special skills, solvents, or tools were required, and there was no obvious 
visual evidence of the attack. Unlike the PSA seal at the top of the bag, the adhesive used on 
the bottom of the bag had presumably been present for weeks to months, allowing ample 
time for the adhesive to fully set. 


This informal experiment is not a substitute for a rigorous vulnerability assessment. 
Nevertheless, in terms of tamper-detection, the seal seems likely to be Security Theater. 
There may, however, be other appropriate uses for the seal that aren't directly related to 
tamper detection. 


*This paper was not peer reviewed.


The following are some possible purposes for the seal that I could think of, including
non-security purposes:

1. Reassure the customer during the pandemic. 

2. Detect tampering with the order inside the restaurant. 

3. Detect tampering with the order by any delivery driver. 

4. Use as a "flag" (non-security) seal to indicate to restaurant workers that the order is 
complete so as to avoid unnecessary additional handling. 

5. Authenticate the order as a legitimate order, i.e., the seal would be more like a tag. 

6. Remind restaurant employees to follow good anti-COVID procedures. 

7. Some other kind of safety or health function? 

8. Literally, a seal to be sure the bag is well closed. 

9. For advertising purposes, given that the seal contains the company logo; or perhaps 
for otherwise making a connection with the customer. 

10. Provide a flap to hold the drinking straw. 

11. Other? 


I emailed a senior public relations official with the company, and sent a letter to the CEO, 
inquiring about which purpose(s) in the above list were their intent. Perhaps 
unsurprisingly, I received no answer.


Possible partial countermeasures for the vulnerabilities with the PSA seal might include 
briefly applying heat to the seal to improve adhesion, using a more aggressive adhesive, 
using a frangible seal, or choosing a different bag material. Stapling the top of the bag 
through the seal using a digestible staple/rivet might also provide better tamper detection. 


Possible partial countermeasures for the bottom of the bag might include using a more 
aggressive adhesive, or using a bag made of heat- or ultrasonically-sealed Mylar or other 
material that would not require an adhesive to seal the seams. This might be harder to 
cosmetically repair after an attack. 


Another approach that could potentially improve tamper detection is to print a highly 
visible notice on the bag (not the seal!) to encourage customers and employees to visually
check the bag and the seal's presence/appearance to look for evidence of tampering. This,
of course, would involve explicitly admitting that the seal has a security purpose. 


References 


1. RG Johnston, “Poor Practice Using Pressure-Sensitive Adhesive Seals”, Journal of Physical
Security 12(2), 18-28 (2019), https://jps.rbsekurity.com


2. RG Johnston and JS Warner, “How to Choose and Use Seals”, Army Sustainment 44(4), 
54-58 (2012), http://www.almc.army.mil/alog/issues/JulAug12/browse.html 


3. RG Johnston, “Tamper-Indicating Seals”, American Scientist 94(6), 515-523 (2005) 


Journal of Physical Security 14(1), 37-52 (2021) 


Suggested Procedures for Physical Protection 
and Security Improvement for Category II Sealed Radioactive Sources 


M. H. Nassef 


Faculty of Engineering, Nuclear Engineering Dept., King Abdul-Aziz University, 
P.O. Box 80204, 21589, Jeddah, Saudi Arabia, Tel: +508871229; Fax:+6952648 
On leave from Nuclear and Radiological Regulatory Authority, (NRRA), 
P.O. Box 11762, Cairo, Egypt, mnassef@yahoo.com 


Abstract 


Iridium 192 (¹⁹²Ir) radiological sealed sources are commonly used in industry. They
represent an intermediate-risk level, i.e. Category 2 sources with an A/D value <1000
where A is the activity and D is the danger. Based on the information available in the
literature for worldwide industrial radiological accidents between 1945 and 2018, I
selected the accidents involving ¹⁹²Ir-sealed sources to help understand the regulations
and awareness of ¹⁹²Ir security and safety measures, including physical protection
measures deployed for ¹⁹²Ir sealed sources. I present the results of my survey using
statistics and figures. This paper suggests in detail a practical procedure for security,
safety, and deployment of physical protection systems that may be applicable to a ¹⁹²Ir
storage or use facility, as identified by IAEA document TECDOC-1344.


Keywords: Industrial radiography Security System; physical protection system; 
radiation safety; iridium 192 


1. Introduction 


The security of radioactive sources has become an increasing concern for the 
International Atomic Energy Agency (IAEA) and member states. The events of 9/11 
pushed the political agenda towards improving the safety and security of radioactive 
sources. Radioactive sources must be secured from removal, unauthorized use, or
sabotage. Safe and secure handling of radiological sources will decrease the risk of harm
to users and the public. If radioactive sources are not carefully controlled and monitored,
they can produce serious deterministic (non-stochastic) health effects on individuals.
Such deterministic health effects depend on the radiation exposure time, the type of
radiation, and the absorbed dose [1-5]. There are 2 types of medical injury from
radiation: acute radiation sickness and chronic radiation sickness. There is a threshold
of doses below which harmful effects do not occur, though this may vary from person to
person.


Physical security for radiological sources includes protecting, monitoring, and
controlling the sites, buildings, and rooms that contain radioactive sources. The IAEA has
made efforts to help member states, such as developing a code of conduct to protect
radioactive sources and materials from being sabotaged or stolen. In the past, some
international agreements have focused on certain dangerous radioactive sources that can
be used to improvise a radiological dispersal device (RDD). Fortunately,
sealed radiological sources cannot generally be used to make a nuclear bomb.
Nevertheless, high-intensity radioactive sources represent a significant risk for persons
in contact with them or when they are used in an irresponsible, unregulated, or
unauthorized manner.


The risk of RDDs is that terrorists might turn radiological sources into "dirty bombs".
Conventional explosives can be used to scatter radioactive materials to create hazardous
radioactive contamination. The number of deaths from an RDD may well be small, but
the resultant radioactive contamination could cause serious disruption and public panic.
Moreover, decontaminating a public area would be an expensive and lengthy process [1,
2, 6-14].


In 2002, highlighting the concerns about RDDs, the chairman of the Nuclear Regulatory
Commission (NRC) and the head of the U.S. Department of Energy (DOE) met to discuss
further protection for the physical inventories of all types of radioactive materials that
could potentially be used in an RDD device. They agreed to involve other agencies.[15]
There is also increasing attention from international organizations such as IAEA and the
United Nations Security Council towards efforts to prevent illicit trafficking of nuclear
and radioactive sources.[10, 16-18]


The database from the IAEA can be used as a point of reference for roughly calculating
the effect of terrorist violence against persons. As an example, 33 years ago in Goiania,
Brazil, a security/safety radiological accident occurred that could be considered a
warning of what could happen if terrorists seek to build RDDs.[19] The IAEA database
for the illicit trafficking incidents involving both safety and security incidents continues
to grow.


In this paper, I focus on the security of Iridium 192 (¹⁹²Ir) sealed radiological sources
because they are widely used. They represent an intermediate-risk level, i.e. Category 2
source with an A/D value <1000 where A is the activity and D is the danger. I propose a
work plan for improving physical security, including physical protection measures, that
can be applied to any storage facility with ¹⁹²Ir radioactive sealed sources. These
suggestions may have applicability as well to the security and safety of other kinds of
radiological material. Perhaps this paper can also increase the awareness of radiological
risks and encourage improved Security and Safety Cultures.


2. Methodology 


2.1 Security, regulations and worldwide ¹⁹²Ir sealed sources accidents


2.1.1 Radioactive source regulation: an overview 

The national nuclear authority ("regulatory body") in any nation state must be an
independent scientific organization based on nuclear law and the regulations of that state
to avoid real or perceived conflicts of interest. The regulatory body needs to set and
enforce security and safety standards, audit and inspect the radiological
procedures, and communicate safety issues to the public. The regulatory body also deals
with all issues concerning radioactive sealed sources, nuclear materials
accountability, and the physical protection of nuclear materials and radioactive sources,
as well as the storage, handling, disposal, and transport of radiological materials.[20-21]


2.1.2 Physical security level based on IAEA categorization of radioactive sources

Based on the 2004 IAEA Code of Conduct, every State is obligated to take the correct
actions to assure the safety and security of radiological sources. In the case of security,
we need to specify the security level for any radiological source based on its IAEA
categorization. We need to assign the correct security level to the category in which the
source belongs.[22-23] Table 1 shows the IAEA categorization system for ¹⁹²Ir industrial
radiography sealed sources.


Table 1. IAEA Categorization System and Security Level Assignment [24].


IAEA Category | Categorization of Common Practice | Activity Ratio  | Security Level
2             | Industrial gamma sources          | 1000 > A/D ≥ 10 | B


Based on the IAEA categorization system, radioactive sealed sources are arranged into
5 categories. Category 2 could produce permanent injury to the user who handles the
source or is in contact with it for a short time (minutes to hours) as shown in Table 2.


Table 2. IAEA categorization for industrial radiography sources. [25]


Category 2                 | Risk                                                        | Dispersal Scenarios
Very dangerous to the user | Could create permanent injury to a user in case of handling | Few risks occur to the health of the user beyond a few hundred meters away


2.1.3 Defense-in-depth strategy to prevent loss of radioactive sources

The concept of defense-in-depth or so-called "layered security", despite some pointed
criticism [26], is conventionally viewed as an effective tool for lowering security risk. To
protect any radioactive sources from an adversary, all basic security measures such as
detection, deterrence, delay, and response should be constructed first to help counter
adversaries intent on sabotage or theft.


There are a variety of barriers that can be used to help implement a defense-in-depth
strategy. For example, warning signs can be posted that alert or warn off persons
travelling through any boundaries or sensitive areas. These can include signs, painted
lines, fences, lighting, and chains. Another tool of defense is an intrusion detection system
that can monitor and control an intruder outside the facility, such as cameras (CCTV),
access control systems, and effective intrusion detection systems (second barrier). A
third possible type of barrier is a physical barrier such as a wall or fence. These can
delay, discourage, or (sometimes) prevent intruders from entering the facility. Other
security layers such as doors, windows, and containers in the facility represent a physical
barrier. A fourth type of barrier is intended to control and inspect persons engaged in
exiting the facility.[27-30]


2.1.4 International accidents due to poor regulations and weaknesses of physical security
systems

From the literature, statistical data indicate that industrial radiography accidents
represent about 48% of the total worldwide industrial radiological accidents from 1945
to 2012.[31-44] From the references [31-44], I extracted only the
accidents due to ¹⁹²Ir sealed sources that were reported and confirmed by the relevant
state. For each accident, I extracted information such as the country in which the accident
happened, the year of the accident, and the number of injuries or deaths during each
accident. My results are presented in the figures below.


3. Results and Discussion 


Now it must be said that radiological safety incidents are quite a different phenomenon
from radiological security incidents. Safety has no deliberate, malicious, intelligent
adversary as is the case for security. Examining safety incidents may, nevertheless, have
relevance to security because we might hypothesize that organizations experiencing
safety incidents may have an increased risk of security incidents. For example, a weak
Safety Culture probably is correlated with a weak Security Culture. While I am unaware
of any research to support or question this hypothesis, it does seem a reasonable
hypothesis to make. There is another reason why it may be prudent to examine safety
incidents in order to understand security issues: radiological safety incidents are much
more common than security incidents and thus may be useful for our understanding.


Following this reasoning, I conducted a survey concerning ¹⁹²Ir accidents between the
years 1945 and 2018. This includes a total number of 108 accidents (67 accidents from
1945 to 2012, and 41 accidents from 2013 to 2018). The total number of worldwide
injuries due to industrial radiography accidents was 92, with 3 deaths from 1945 to 2012.


Figure 1 shows the number of ¹⁹²Ir industrial radiography sealed sources accidents
worldwide between 1945 and 2013. Figure 2 presents the corresponding accidents from
2013 to 2018. From Figure 1, it is clear that the majority of accidents occurred in Russia,
with a percentage of 31.5% of the total accidents. Figure 2 shows the USA had the highest
percentage of industrial radiography accidents with 21.3% of the total accidents. The
primary reason for those accidents, I believe, was the lack of effective regulations and
awareness of safety and security issues when using category 2 industrial radiography
sources. Some accidents involved equipment failure, while others involved improper
storage conditions for this type of category of radiological material.


[Figure 1: chart titled "Worldwide ¹⁹²Ir accidents between 1945 and 2012", with a legend of countries.]


Figure 1. Industrial radiological accidents involving ¹⁹²Ir worldwide during the years
1945-2012.


[Figure 2: chart titled "Worldwide ¹⁹²Ir accidents between 2013 and 2018", with a legend of countries.]


Figure 2. Industrial radiological accidents involving ¹⁹²Ir worldwide during the years
2013-2018.


3.1 Technical requirements for on-site storage location for safety purposes


Summarizing international regulations for the safety and security of industrial
radioactive sources, a ¹⁹²Ir storage facility (room) must meet the following requirements
[45-46]:

a. Its design, construction, and licensing process must be approved by the national
regulatory body.

b. The room must be in an isolated area, separate from occupied areas and relatively far
from any human activities.

c. Transportation of sources should be undertaken in accordance with ALARA principles 
(As Low As Reasonably Achievable). 

d. The room should have low visibility from outside, and possess sufficient but not 
excessive entry access for external emergency services such as police, fire, and medical 
first responders. 

e. The room should be able to resist or minimize damage from any weather or geological 
event, including storms, earthquakes, and flooding. 

f. The room should have a smooth, impervious, and easily washable floor. 

g. The room needs to be equipped with reasonable vacuum ventilation suction inside to 
prevent the build-up of any expected gasses or vapors from radioactive material, and 
must be provided with adequate illumination. 

h. The dose rate in the storage room shall be less than 7.5 µSv/h and not exceed 10 µSv/h;
the dose rate at the entrance to the storage room shall be less than 2.5 µSv/h; and the
dose rate in areas available to the public shall not exceed 1 mSv/y. [47]

i. A radiation hazard sign should be present at the entrance to the storage room. It
should include the wording "radioactive sources".


3.2 The author's suggestions for safety and security measures for radiological storage 
facilities 
3.2.1 Option 1: Author's suggested site preparation for an occupied storage area 

In planning a radiological storage area, the following steps are prudent: 
a)-Selection of the best place to store the industrial radiography source should be based
on the occupation factor and local safety considerations.

b)-A radiation level survey should be done for the selected site location.

c)-The entrance door should be examined for any security vulnerabilities and possible
failure modes. I suggest the door should be constructed of metal rather than wood, and
possess a suitably secure lock. Such a door helps to secure the storage room from attack,
sabotage, or any weathering effects, and minimizes damage from fire. The door
represents a delay barrier for any unauthorized intruder, and should be designed or
chosen with this in mind.

d)-An inventory list should be prepared. IAEA guidelines[5] require the inventory list
to include the following information: type of radionuclide, physical and chemical form,
source activity, date of inventory, the name of the operator (user), and the name of the
Radiation Safety Officer (RSO) for the storage facility.

e)-Ideally, a special security container constructed for storing the sealed
radiography sources should be used. A warning radiation sign with the wording
"radioactive sources" must be posted on this container so that the sealed source(s)
can be readily recognized. The suggested specification for this metal container (or
cabinet) is discussed in detail in section 3.2.2 below.


3.2.2 Option 2: Suggested site preparation steps for storage locations in isolated areas 

In my view, the best option for storage in isolated areas is to build a pit for storing the
sealed radiography source(s). The storage room should measure no less than 3 m x 3 m and
be equipped with a vertical steel tube (pit) of 1 m diameter and about 1 m long at the
center of the room, including a Mild Steel (MS) cover and locking hardware. I
suggest constructing a security fence around the pit or around the main storage room
that houses the source(s). For good safety, it is desirable to construct a fence at a safe
distance such that the dose rate does not exceed 25 µSv/hr outside the fence, ideally
substantially less. The pit should be made from waterproof materials.[47] I further
suggest an extra metal security container such as a cabinet. This metallic container will
contribute to the concept of defense-in-depth, and complicate the unauthorized access or
removal of the source(s), or at least delay adversaries. A metal storage cabinet shielded
with lead is preferred for storing the source(s). I suggest dimensions of at least
0.5 x 0.5 x 0.5 m. This storage cabinet should be constructed of strong, fire-resistant metal,
and include a lead sheet of approximately 2 mm thickness as a radiation shield for safety
purposes. The cabinet must include a secure lock and optionally other access control
measures. The cover of the proposed cabinet should have two sliding doors with a
suggested dimension of 0.40 x 0.5 m. The key, combination, or PIN for the security cabinet
should be kept under the supervision of the Radiation Safety Officer (RSO).


3.3 Radiation protection considerations and safety management during work 

International conferences on the security of radioactive sources were held in Vienna
in 2003, 2013, and 2018. The main consequence of those conferences was rising
concern for the safe and secure control of radioactive sources, and of the need to
identify those sources that represent the greatest radiation risk.[48-52]

A consensus was reached that every person participating in the storage process should
be exposed only to an acceptable radiation level. The dose constraints for this
radiological work need to follow the international recommended safe limit of 10 µSv/h.
A personal monitoring dosimeter (such as a thermoluminescent or TLD badge) should be
distributed to everyone who participates in this work.[53-54] The dose rates outside the
security room, such as in corridors, should be within the background levels of
0.08-0.1 µSv/h.


3.4 Workshop and training in the field of nuclear security 


To meet the awareness and training needs in the field of physical security, I believe the
RSOs at the facility should periodically present a security management workshop for all
operators and radiation workers. Typically, such a workshop covers all radiation
protection rules, regulations, safety, and physical security concepts in order to update
participants’ theoretical and practical knowledge, as well as their safety and security
skills. For category 2 sources, the suggested workshop program should consist of some
theoretical lectures, open discussions, and practical implementation exercises for
category 2, security level B radioactive sealed sources.


3.5 The author's suggested procedures to improve the physical security for industrial 
sealed radiological sources 


Increasing the effectiveness of the physical protection and security measures for
industrial gamma radiological material reduces the risk from radiological terrorism.[16]
The first step is to define the security level for the sealed radioactive source based on the
hazard effects that the source could produce.


3.5.1 Physical Access control

It is essential (where practical) to establish and use a continuous physical barrier
(perimeter protection) having a single nominal access point to control access to the
security zone. A room or a laboratory may be adequate for that purpose, provided its
location is far from any public entrance or elevator area. It is also critical to factor in
safety and ALARA issues when moving from low to high radiation areas, i.e., the best place
for storing the radioactive source must be considered in this stage. The entrance to the
storage room must control and limit access to authorized users. A two-man rule should
be considered when dealing with the access control for the source(s), such as only
allowing a two-person team to access physical keys, passwords, or PINs granting access
to radiologically controlled areas. The tools and equipment needed for handling the
source(s) should be in the controlled area, but stored away from the source.


3.5.2 Detection 

The concept of detection is one of the important tools for physical protection. I suggest
installing constant-surveillance video cameras at the storage site, e.g., Closed-Circuit
Television (CCTV) surveillance cameras at specific locations to monitor activities and
personnel. The control point is the door or the gate for access, and should be equipped
with another sensor such as an infrared (IR) sensor and/or a motion-detecting security
camera. It is preferable to use a balanced magnetic switch (BMS) on the door coupled with
an IR sensor inside the storage room. In addition to the above tools, a UPS backup power
unit should be installed for this electronic system. The site should also have fire and
smoke detectors. In the case of an emergency alarm, the facility security team must be
notified immediately and start taking action without delay.
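

The two-person rule of section 3.5.1 and the door switch (BMS) plus IR sensor pairing described above can be evaluated together as one alarm rule. The following Python is an added example, not part of the original paper; the badge IDs, time windows, event names, and the sample event stream are all constructed assumptions.

```python
from dataclasses import dataclass

# All identifiers, windows and events below are constructed for illustration.
AUTHORIZED = {"RSO-01", "OP-07", "OP-12"}  # hypothetical badge IDs
PAIR_WINDOW_S = 60    # assumed: both badge reads must fall within this window
ENTRY_WINDOW_S = 30   # assumed: door must open this soon after disarming


@dataclass(frozen=True)
class Event:
    t: int          # seconds since start of shift
    kind: str       # "badge", "bms_open", "ir_motion" or "arm"
    who: str = ""   # badge ID, for "badge" events only


def evaluate(events):
    """Return (time, reason) alarms for a stream of access and sensor events."""
    alarms = []
    recent = {}            # badge ID -> time of its latest valid read
    armed = True           # the room starts armed
    disarm_expires = None  # re-arm deadline while waiting for the door to open
    for ev in sorted(events, key=lambda e: e.t):
        # A disarm that is not followed by an entry lapses on its own.
        if disarm_expires is not None and ev.t > disarm_expires:
            armed, disarm_expires = True, None
        if ev.kind == "badge":
            if ev.who not in AUTHORIZED:
                alarms.append((ev.t, "unauthorized badge"))
                continue
            recent[ev.who] = ev.t
            live = [w for w, t in recent.items() if ev.t - t <= PAIR_WINDOW_S]
            # Two distinct authorized people are needed; one badge read
            # twice only refreshes a single dictionary entry.
            if armed and len(live) >= 2:
                armed, disarm_expires = False, ev.t + ENTRY_WINDOW_S
                recent.clear()
        elif ev.kind == "bms_open":
            if armed:
                alarms.append((ev.t, "door opened without two-person authorization"))
            else:
                disarm_expires = None  # entry under way; stays disarmed until "arm"
        elif ev.kind == "ir_motion":
            if armed:
                alarms.append((ev.t, "motion while room is armed"))
        elif ev.kind == "arm":
            armed, disarm_expires = True, None
            recent.clear()
    return alarms


# Constructed event stream: one normal entry followed by several failure cases.
SAMPLE_EVENTS = [
    Event(0, "badge", "RSO-01"), Event(20, "badge", "OP-07"),       # valid pair
    Event(35, "bms_open"), Event(40, "ir_motion"), Event(600, "arm"),
    Event(900, "badge", "OP-07"), Event(905, "badge", "OP-07"),     # same badge twice
    Event(910, "bms_open"), Event(915, "ir_motion"),
    Event(1500, "badge", "OP-12"), Event(1600, "badge", "RSO-01"),  # reads 100 s apart
    Event(2000, "ir_motion"),                                       # motion, door never opened
    Event(2500, "badge", "VIS-99"),                                 # unknown badge
    Event(3000, "badge", "RSO-01"), Event(3010, "badge", "OP-12"),  # valid pair, but
    Event(3100, "bms_open"),                                        # door opened too late
]

if __name__ == "__main__":
    for t, reason in evaluate(SAMPLE_EVENTS):
        print(f"t={t:>5}s  ALARM: {reason}")
```

Each returned alarm corresponds to the condition under which the text requires the security team to be notified immediately; the normal two-person entry at the start of the stream produces none.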


3.5.3 Response 

The facility security service must have sufficiently detailed information about the
storage room/pit, and about the potential hazards associated with the sources for when
emergencies occur. The security personnel should have multiple ways to communicate
in any emergency, e.g., telephone (landline), mobile phone (cell phone), and
walkie-talkies. They should have the contact number of the mobile phone of the RSO at
the site location.


I highly recommend that the security team practice dealing with different attack and
emergency scenarios. They must understand the security vulnerabilities and likely attack
scenarios, and perform regular tests of security and fire alarm systems.


3.5.4 Installation of physical security fence (protective barrier) 

A security fence for this type of radiological category is necessary. The fence should
surround the perimeter of the storage site with one metal entrance gate (external entry
point). The metal gate must have a mechanical lock with a radiation warning sign on the
main entrance to the storage site. I suggest building sufficient isolation zones between
the security fence and the storage site. The function of the security fence is to define the
perimeter of a restricted area where unauthorized entry is not allowed, prevent
accidental entry, enhance detection and the capture of intruders, and restrict access
through portals to only authorized personnel.[55]


Figure 3 depicts a schematic of the concept of defense-in-depth, with 4 layers. The
storage room/pit is located in the center of the facility such as a research center,
university, or company. The main entrance and the perimeter of this facility represent
the first layer of defense. The area of the suggested storage site has an enclosed perimeter
fence or wall (metal or concrete) for the second layer of security. Access to the storage
room should be controlled by the use of an identification card and a visual check from the
security personnel. The third layer of security is the security fence around the storage
facility or the wall of the storage room itself in the absence of the security fence. Finally,
the proposed metal cabinet inside the storage room represents the fourth level of
defense.


Journal of Physical Security 14(1), 37-52 (2021) 


[Figure 3 labels, outermost layer first:]
Level 1: Facility Perimeter Fence (University/Research Center/Company)
Level 2: Security Fence line around the storage site
Level 3: Wall of the storage room
Level 4: The wall of the suggested metal cabinet
Source enclosure (Industrial radiography source)


Figure 3. A schematic of proposed layered security for radiological sealed sources.


4. Conclusion 


This paper offered guidelines and my personal suggestions for providing effective
security for category 2 radiological sources, such as ¹⁹²Ir. These suggestions include
understanding the differences and similarities of safety versus security, recognizing the
risks that sealed radiological sources represent for terrorists creating radiological
dispersal devices (RDDs), following existing international radiological security and safety
guidelines, leveraging the potential advantages of layered security, and having proper
security design and employee training for storage rooms or pits for sealed radiological
sources.